Office 365 Licensing: How Did I Enable EMS For 6000 People in 10 Minutes?

The growth of SaaS apps brings another waterfall of tasks and risks for IT and compliance departments – the hell of managing those on-line licenses. Who gets what kind of license? When does it get revoked? How can we optimize its usage? Who should physically assign those? There might be something to it if 8 out of 10 links on the first page of a Google query for Office 365 license management lead to automation tools.

There is actually one exact answer to the above questions – AUTOMATION. You don’t want to do it on your own or even delegate it to your team members or helpdesk personnel. They have better things to do in life, right?

I thought about it today while helping one of our customers in pharmaceuticals to configure license assignment for their newly purchased Enterprise Mobility Suite licenses. We got the request to enable them for all active users, now and in the future. And, of course, to revoke them when they are not needed (why pay for something which is no longer in use?).

It took me 10 minutes to accomplish this task. What’s more – it will be working for each and every new person as well. AUTOMATION.

There are at least three ways to easily handle this task without anyone being involved daily.

PowerShell scripting

Azure AD Premium license management

Microsoft Identity Manager

Let’s have a quick overview of all of them with their advantages and bumps.

PowerShell scripting

This is where everyone starts when it comes to license automation. It is easy. Start with the documentation from the Internet. There are plenty of examples of how to do this. Customize it to your needs. Done! Life is easy now.

A few things to consider here:

As any other scripting solution, it requires maintenance. It will contain some business rules. Make sure you have them documented. There is nothing like trying to figure out why it works this way when someone is not getting their e-mail.

It requires some place to be run. It is a script, so it needs some environment to be executed in. Put it somewhere it will not get easily disrupted. If you have an Azure environment, Azure Automation or Azure Functions provides a great and simple-to-use environment for this purpose, without the need to provision a dedicated machine for it. Or, what is worse, run it on the author’s computer.

It requires some privileges. Make sure the credentials are not simply stored inside the script. Again – Azure Automation provides a place for that kind of thing to be stored, or use Azure Key Vault.
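To show what the three points above look like in practice, here is an added example (my own, not code from the original post): an Azure Automation runbook that assigns the EMS license to every enabled member account that does not have it yet and revokes it from accounts whose sign-in is blocked. The credential asset name ‘O365-LicenseAdmin’, the SKU part number ‘EMS’ and the default usage location ‘PL’ are assumptions; it uses the MSOnline module cmdlets, which must be imported into the Automation account.

```powershell
# Added example, not from the original post. Azure Automation runbook that enforces
# one business rule: enabled member accounts get EMS, sign-in-blocked accounts lose it.
# Assumptions: credential asset 'O365-LicenseAdmin', SKU part number 'EMS',
# default usage location 'PL', MSOnline module available in the Automation account.
param(
    [string]$CredentialAssetName  = 'O365-LicenseAdmin',
    [string]$SkuPartNumber        = 'EMS',
    [string]$DefaultUsageLocation = 'PL'
)

# The credential lives in the Automation account as an encrypted asset,
# so nothing secret is written into the script text.
$cred = Get-AutomationPSCredential -Name $CredentialAssetName
Connect-MsolService -Credential $cred

# Resolve the tenant-specific AccountSkuId (e.g. 'contoso:EMS') and check seat capacity.
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU '$SkuPartNumber' not found in this tenant." }
$available = $sku.ActiveUnits - $sku.ConsumedUnits
Write-Output "SKU $($sku.AccountSkuId): $available of $($sku.ActiveUnits) seats free"

# Guests are never licensed by this rule.
$users = Get-MsolUser -All | Where-Object { $_.UserType -ne 'Guest' }

foreach ($u in $users) {
    $hasSku = $u.Licenses | Where-Object { $_.AccountSkuId -eq $sku.AccountSkuId }

    if (-not $u.BlockCredential -and -not $hasSku) {
        if ($available -le 0) {
            Write-Warning "No seats left; skipping $($u.UserPrincipalName)"
            continue
        }
        # License assignment fails for a user without a usage location.
        if (-not $u.UsageLocation) {
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $DefaultUsageLocation
        }
        Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $sku.AccountSkuId
        $available--
        # The rule name in the job output is what helpdesk will read later.
        Write-Output "ASSIGNED $($sku.AccountSkuId) to $($u.UserPrincipalName) (rule: enabled member account)"
    }
    elseif ($u.BlockCredential -and $hasSku) {
        Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -RemoveLicenses $sku.AccountSkuId
        $available++
        Write-Output "REVOKED $($sku.AccountSkuId) from $($u.UserPrincipalName) (rule: sign-in blocked)"
    }
}
```

Schedule the runbook (hourly is usually enough) and give the credential only the User Administrator role, not Global Administrator. The ASSIGNED/REVOKED lines stay in the Automation job history, which is the closest thing a script gives you to an answer for “why does this person have this license?”.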

Aaaand it’s done. You wrote it. You put it to work. Nothing left.

Well, in the end, life is a bit more complicated. Usually, there is a need for some business rules in there. And these are changing.

Moreover, someone will need a way to check why this license was assigned. With PowerShell, there is no easy way to look into it for helpdesk people.

And actually – is scripting all that IT can come up with? (It is in many cases a “good enough” solution).

Azure AD Premium

PowerShell is a pretty good solution, but it requires maintenance and space. Can we make it better? Azure AD comes to help.

Azure AD has a built-in license management feature which is in preview at the time of writing. It allows you to assign various types of licenses to users – among others, licenses for Office 365 or EMS.

When in the Azure AD tenant (using the old portal), go to the Licenses tab, and you will see the licenses existing in your directory.

Click on it, and you will be able to assign a license to a particular user or a group.

Hey! Wait! Am I saying you will have to “ASSIGN”? Manually? Really?

You can do that, but the deal is to get rid of it. And to do this we can combine this capability with another Azure AD Premium feature:

Create a dynamic group that will automatically manage membership for your users.

Assign the license to this group.

This way you will have a dynamic way of assigning people to various licenses – like we have at Predica (inherited = group based).

This can be combined with other capabilities like self-service groups to create a license management vehicle in Azure AD.

The group can also be managed on-premises and synchronized to Azure AD where membership will grant the right license to people. When you remove a person from the group – the license is gone.
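As an added example (mine, not from the original post or from Predica’s setup), this is how the dynamic group from the two steps above can be created from PowerShell instead of the portal. It assumes the AzureADPreview module is installed and that the signed-in account can create groups; the group name and the membership rule are made up for illustration.

```powershell
# Added example, not from the original post. Creates an Azure AD dynamic group whose
# membership is computed from user attributes; the EMS license is then attached to the
# group in the portal (group-based licensing). Assumptions: AzureADPreview module,
# group name 'LIC-EMS-AllEmployees', rule = all enabled member accounts.
Import-Module AzureADPreview
Connect-AzureAD

# The membership rule IS the business rule. Narrow it to your needs, e.g. append
#   and (user.department -eq "Sales")
$rule = '(user.accountEnabled -eq true) and (user.userType -eq "Member")'

$group = New-AzureADMSGroup -DisplayName 'LIC-EMS-AllEmployees' `
    -Description 'Dynamic group: all enabled employees; EMS license is assigned to this group' `
    -MailEnabled $false -MailNickname 'LIC-EMS-AllEmployees' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

Write-Output "Created group $($group.DisplayName) ($($group.Id))"
Write-Output "Next step: Azure AD portal -> Licenses -> EMS product -> assign to this group."

# Later, when helpdesk asks why someone has the license, the rule is the answer:
(Get-AzureADMSGroup -Id $group.Id).MembershipRule
```

When a user’s account is disabled, the rule stops matching, the group membership is removed, and the license goes with it – the same revoke-on-leave behaviour as the script, but with no script to maintain.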

Changes to this mechanism are coming to bring license management to the new portal and provide more granular options to assign licenses plans in UI.

Microsoft Identity Manager

We have gone through the PowerShell (scripted, custom) and Azure AD (feature, product based) ways to manage licenses. There is always a third way – let’s explore it now. License management is often a task assigned to the IAM team maintaining employee identities. Those teams usually have some tool in place, and that tool already automates many of their tasks.

Hey – maybe it can also automate license management.

This is a common request which we fulfill for customers using Microsoft Identity Manager (MIM). It is not exclusive to MIM – if you have another identity management tool you can also do this – you will easily find an implementation for ForgeRock (where we can also help you, BTW).

With an on-premises identity management tool you can take one of two strategies for Office 365 license management:

Use it to manage on-premises group membership, synchronize these groups to Azure AD and use the Azure AD feature to manage licenses.

Use it in combination with PowerShell or the Graph API to manage licenses directly.

The first approach is simple – it connects both solutions I have mentioned earlier. You manage group membership on-premises (every IAM tool will let you do this) and then use AAD Connect to synchronize group membership to Azure.

In Azure, you can assign a license to the group, and that’s it.

If you need more flexibility and granularity in license management, you can take advantage of MIM as the identity management tool and connect it directly to Azure AD for license management.

This requires a connector – a management agent. There is one built into the product, but luckily, we also have a community for that. Soren Granfeldt has created a flexible PowerShell connector for MIM which is up to the task.

When you have the connection from MIM to O365, you can easily create a process of assigning licenses in MIM either manually or through automated business rules.

MIM allows you to create rules allocating licenses based on employee type, location, and other user attributes. It can then carry this information over to Azure AD either through groups or directly through license assignment.

MIM provides an end-user portal through which you can assign licenses directly. In many cases, there are standard licenses assigned to users and some additional products to be assigned on demand. In this case, MIM allows you to offer this option either to the user as self-service or delegated to a manager or helpdesk.

If you have existing MIM setup and you want to include this option for your users, just contact us. We might have something ready for you.

Two points to mention here:

Yes, it requires some configuration. It is not an out-of-the-box feature. Still, it is not a massive project and can save you tons of work hours.

MIM requires a license for users (CAL) if you want to use the MIM portal to manage licenses. If you have a source of assignments and just want to synchronize it to Office 365, there is no license fee. MIM Synchronization Service, required for automation, is a part of the Windows Server license. With a little planning ahead, the synchronization engine might just be enough for the task.

If you have Azure AD Premium you are licensed for MIM anyway – in that case, it is worth exploring to manage licenses this way.

Well, time to answer a question from the title of this post…

How did I enable EMS for 6000 people in 10 minutes?

As simple as that. Our customer already had license management with MIM deployed. I had to create a licensing option and assign it to people. It takes around 10 minutes to do this in such a setup.
